BushidoToken CTF

I had to request access to the CTF via email (per GitHub), and this is the email I got in response:

Insider Threat CTF

Version 1

To start, we were given a developer's GitHub profile and told to find some information. Looking at the profile page, we can see that their job role is Backend programmer for Software Consultants Inc. A quick look at Epieos gives their name as Émilie Marseille.

To find the API key, we can look in their Login Page.js file and see that it is hardcoded at the top: aJFRaLHjMXvYZgLPwiJkroYLGRkNBW. In that same file, we can see their username is EMarseille99 and their base64-encoded password is UGljYXNzb0JhZ3VldHRlOTk=, which decodes to PicassoBaguette99.

Their account doesn't have any stars or Gists, so we have to get a bit more creative to find their university name. There are no college-related accounts in her followers, she doesn't follow anyone, and she does not belong to any GitHub Organizations. I decided to research the name and found her Instagram account, which has a QR code that links to her Steam account. Unfortunately there was no further info on the Steam profile, so I dug deeper into the Instagram.

There was one interesting building photographed on the account, which I identified as the Gardens by the Bay nature park in the Central Region of Singapore, but that didn't help. The 10 accounts she follows are all unrelated to school as well, and she is not tagged in any photos.

Next I found her LinkedIn, which had the answer we were looking for: Sorbonne Université.

To categorize the hacking tools we saw on her profile:

For question #3, we already know her LinkedIn, Instagram, and Steam accounts, so we just need to look for the university club that she was a part of. According to the "Education" section of her profile, she was into eSports, so she was likely a member of the Sorbonne Université Esport team.

Question #4 is all about the Instagram photographs we looked at earlier:

  • Holiday destination: Singapore, Republic of Singapore
  • Home city: Paris, France
    • Posted here, we can reverse search this image and determine that it is of the Square Jean-XXIII in Paris, France.
  • Where family is based: Dubai, UAE

Question #5 is about geolocating a city based on a photograph of the company office building. Using the street signs in the photograph, we can Google "Hippodrome Theatre" + "St. Martin's Church" + "Alexandra Theatre" and determine that the city in question is Birmingham, UK.

Question #6 wants us to geolocate an IP camera based on a photograph of the landscape. This was easy enough to do, since the screencap showed the camera's name, so we didn't have to research solely based on the pictured image. Searching up "a view from the dome" + ip camera tells us that the camera is installed at the University of Notre Dame in Indiana, USA.

Version 2

To start the challenge, we are directed to this Tweet by what appears to be a disgruntled employee. The Tweet leads us to this YouTube video:

YouTube video

Scanning the QR code that appears to be associated with VKontakte takes us to this Pastebin. There was a lot of HTML-formatted data, but I decided to skip parsing over it until I confirmed that there wasn't something easier to pull out. Luckily for me, there was.

Answer #2: https://pastebin.com/wN9pFB7p

Scrolling to the bottom of the paste shows us the user's GitHub profile, which follows the same naming convention as the other two accounts.

Answer #1: https://github.com/RU5514N-H4CK3R

If we look at the user's repositories, we can see that there is only one non-forked repository, called Testing123. Looking in its single file, coursework, nets some credentials:

  • r.troll1991@gmail.com : NE11dGg0UnVzczFhIQ==
    • Decoded from base64: 4Muth4Russ1a!
    • I tried logging into the Gmail, but no such luck
  • 11511165 : Roman Trollvinsky
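Both the Version 1 Login Page.js file and the coursework file above leak credentials the same way: a hardcoded key and a base64-wrapped password committed to a public repo. The following is an added example, not part of the original write-up, of the kind of pre-commit check a repository owner can run to catch this. The sample JS and its key/password values are constructed placeholders, not the CTF's real values.

```python
import base64
import math
import re
from collections import Counter

# Constructed sample in the style of the write-up's "Login Page.js": the key and
# base64 password below are placeholders, not the CTF's real values.
SAMPLE_JS = """
const API_KEY = "aBcDeFgHiJkLmNoPqRsTuVwXyZ012345";
const username = "example_user";
const password = "U2VjcmV0UGFzc3dvcmQxMjMh";  // base64-wrapped, not encrypted
const greeting = "Welcome back";
"""

# name = "literal" or name: "literal", with a literal of at least 8 characters
STRING_RE = re.compile(r'(?P<name>\w+)\s*[=:]\s*["\'](?P<value>[^"\']{8,})["\']')
# variable names that usually hold credentials
SENSITIVE_NAME = re.compile(r'key|secret|token|pass|pwd|auth', re.IGNORECASE)
ENTROPY_THRESHOLD = 4.0  # bits per character; a random 32-char key scores 5.0


def shannon_entropy(s: str) -> float:
    """Bits per character; high values suggest a generated key, not prose."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def try_base64(value: str):
    """Return the decoded text if value is strict base64 of printable ASCII."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def find_hardcoded_secrets(source: str) -> list:
    """Flag string literals by variable name, entropy, or base64 plaintext."""
    findings = []
    for m in STRING_RE.finditer(source):
        name, value = m.group("name"), m.group("value")
        entropy = shannon_entropy(value)
        decoded = try_base64(value)
        if SENSITIVE_NAME.search(name) or entropy >= ENTROPY_THRESHOLD or decoded:
            findings.append({"name": name, "value": value,
                             "entropy": round(entropy, 2), "decoded": decoded})
    return findings


if __name__ == "__main__":
    for finding in find_hardcoded_secrets(SAMPLE_JS):
        print(finding)
```

The base64 branch is what turns the "encoded" password into plaintext, the same step the write-up performs by hand; a hit here means the value should be rotated, not just removed from the file.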

Question #3 asks about a LinkedIn account, so we can search up Roman Trollvinsky site:linkedin.com and find the only result:

Answer #3: https://www.linkedin.com/in/roman-trollvinsky-66ab5b1b4

Question #4 asks what the PoI's football team is, so the next thing I do is check their LinkedIn interests. There's nothing there, so we can check their activity next. Another dead end: the only activity is a deleted YouTube video about NLBrute 1.2.

In case the answer was on another indexed site, I attempted to expand our search criteria to allow for any site that mentioned the unique (fake) last name: Roman "Trollvinsky". Again, there were no additional hits. I decided to run the email through Epieos in case there was some kind of archived Google+ post or something, but there was no new information.

I circled back to the original Twitter account to see if there were any likes that would indicate his football team of choice, but the only like was a BLM shirt, nothing about sports. There is nothing else on the GitHub account: the only activity was the school repository and the original forks made, and there are no gists or stars either.

I tried scanning the Paste for any of the team names, and even rendered the HTML in case there was anything else hiding in there, but no dice. The Paste was made by a guest, so there isn't an account to check. Searching Google for "Ru5514nH", "4Muth4Russ1a!", "RU5514N-H4CK3R", and "r.troll1991@gmail.com" did not yield any new information. I tried to check if there was an email address associated with the commits that would give clues as to the sports team via .patch, but there was not.

Reverse searching the LinkedIn profile picture and looking for any of the soccer teams in conjunction with "Kiev Polytechnic Institute" did not yield any results. The only one of the teams associated with Ukraine was "Shakhtar Donetsk", so I figured that was as good a guess as any.

Answer #4: Shakhtar Donetsk

I later realized that the team's Twitter account was the only account that Roman was following! A great initial oversight on my part.

The next question was asking for the PoI's real name, which we've known since we found the LinkedIn.

Answer #5: Roman Trollvinsky

Same with their email address.

Answer #6: r.troll1991@gmail.com

And their password.

Answer #7: 4Muth4Russ1a!

And their location, courtesy of LinkedIn.

Answer #8: Odessa Metropolitan Area

And their school!

Answer #9: Kiev Polytechnic